Reorganize and make the Outlook Addressbook more secure.

(in Office 365 Exchange Online)

In this article I show you how you can set up the Outlook addressbook and make it more interesting and more secure by segregating users.

When the Outlook Addressbook is used “as is” it can be pretty messy. Out of the box the addressbook is set up to show every user everything that is in there. For smaller organizations this is not a problem, but for a bigger organization it can be. It is not very insightful for a user, nor helpful for finding someone whose name he might not know.

If set up correctly you can also make use of the hierarchical structure of the addressbook, where you can see who is working in the same department or school, who is the manager and who has the same manager. In the image you see this reflected. I will explain more about this later and show you how to accomplish this.

So you do not need to know the exact name of someone to be able to find the person you need. You need to know the department or the school or a co-worker or manager of the person you are looking for.

In a nutshell, you organize the addressbook by adding and/or changing the Addressbook policy and Addresslists. By separating users into several addresslists you create order.

You create Addressbook policies which contain the addresslists of your choice. Then you assign the correct Addressbook policy to each user. In this way you determine which Addresslists and users are visible to this user. So a staff member can see much more than a student.

Out-of-the-box Outlook comes with the standard Addresslists like All Rooms, All Users, All Distribution Lists and so on. When you take some time to get things organized into departments for example this looks a lot better.

This makes it easier for users to find someone. Just by clicking the appropriate addresslist you can find someone in a department you do know the name of, without needing to know the name of the person you are looking for. When everybody has set up a profile photo, life just gets easier for everybody.

This is not only a good idea for usability, it is also a good strategy from a security standpoint. With the default addressbook, a hacker who succeeds in getting into just one account can see and get his hands on the account information of the entire organization! He will be very happy.

So in my case there were about 16 separate schools within the same organization where the students of the individual schools had nothing to do with each other. So they had no business or need to see the students of another school. So I wanted to change this.

User Icons

Besides making the addressbook more organized I also wanted to make it look better by setting a profile icon image for all the users who had not done this for themselves. It might even encourage users to set a personal photo when they see the new icons. Even if this is not the case, it looks a lot better than the default with the initials.

How far you want to take this is up to you and the organization you work for. If you have the correct attributes set up you can even set an icon image with the correct gender. In the image you see a male and a female student icon you can set for all the students, and a male and a female teacher icon you set accordingly.

If you want to take this even a level further you can have different background colors to make a distinction between the separate schools or business units.

So it looks nicer and helps with security. How? When people share sensitive information with others, sending it to the wrong person can make a big difference. For instance, you could have two John Davidsons with an account at a school. If neither of them has uploaded a user photo you can easily make a mistake. If you can see instantly from the icon whether it is a student or a staff member, it can make a big difference which John Davidson you send the exam questions to! By setting different standard icons you can help to reduce these kinds of mistakes.

The technicality of it

So what do we need to do? First of all we need the correct information on all of the accounts. This means that the different user fields are filled with the right information. Maybe this is something you already have set up. You could use fields like Title/Job title or Department.

So in my Office 365 test tenant I have the following organization structure:

The organization is a school community which as a whole is named “School voor Office 365”. It has staff members who work for all the schools and services within the organization.

There are also three individual schools:

School voor Microsoft Teams

School voor SharePoint

School voor Outlook

These schools have teaching staff and students, class rooms, conference rooms and office spaces. After deliberation we have decided we need to organize it in such a way that the students see only the teaching staff and students of the school they are attending. The teaching staff and other staff members need to see all of the staff and all of the students. It would be very helpful if this was organized in Addresslists. We also chose to separate the teaching staff from the students in two addresslists. The teaching staff will end up listed in the Addresslist called Team with the name of the school, and the students in an Addresslist with the name of the school.

So for example Addresslist “Team MSTeams” for the teaching staff and Addresslist “School voor MSTeams” for the students.

So we need to start dividing the entities in the addressbook into addresslists. I write entities because we not only have user accounts but also class rooms and office spaces to organize. We will also set up addresslists for departments like Marketing and IT Services.

Remember we need an Addressbook policy (ABP) to wrap around the Addresslists and then set this policy on the right users? If we look at the use case we can see we need four Addressbook policies: a separate ABP for each individual school and another ABP for the staff members. So if we take a look with PowerShell we see this when we are done:

And the details of one of the ABP’s show the Addresslists that are configured.
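The overview described above can be produced as follows. This is an added example, not the author's own commands; it also lists the mailboxes that are not yet bound to any policy, because those users keep seeing the complete default addressbook.

```powershell
# Added example. Assumes an existing Exchange Online session (Connect-ExchangeOnline).

# Every policy with the lists it wraps.
Get-AddressBookPolicy |
    Format-List Name, AddressLists, GlobalAddressList, RoomList, OfflineAddressBook

# Every address list with the recipient filter that fills it.
Get-AddressList | Format-Table Name, RecipientFilter -Wrap

# Coverage: how many mailboxes are bound to each policy.
$mailboxes = Get-Mailbox -ResultSize Unlimited
$mailboxes |
    Group-Object -Property {
        if ($_.AddressBookPolicy) { "$($_.AddressBookPolicy)" } else { '(no policy)' }
    } |
    Sort-Object Count -Descending |
    Format-Table Name, Count -AutoSize

# User mailboxes without a policy: these accounts can still browse everyone.
$mailboxes |
    Where-Object { -not $_.AddressBookPolicy -and $_.RecipientTypeDetails -eq 'UserMailbox' } |
    Select-Object DisplayName, PrimarySmtpAddress, RecipientTypeDetails
```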

In an environment where nothing is configured for the Addressbook and everything is left default, we get no results when we run the cmdlet: Get-AddressBookPolicy

On the other hand when we ask for the AddressLists in a default tenant we see this:

We see here something we are going to need to get what we want: the Recipient filter. We want Addresslists which contain the different entities organized per school or business unit. In order to make this work we need the correct information in the details of the mail accounts. Think of the department or school name a user's mailbox belongs to.

There are several ways on how this can be accomplished. You can create this by using the Local On-Prem Active Directory and fill certain fields (called attributes) with the right information. For example a user account has the “Department” field or attribute we can use. Later we can filter on this to get the addresslist filled.

This can be done by hand, or it can be an automated process in which Human Resource software and Active Directory are configured to work together. In an organization that does not have many changes each week this could be a manual process. Maybe you could start with a bulk import and then administer this by hand every time a person leaves or joins the organization. In a school with 14.000 students and many changes every day this is not how you would do things.

I want to keep this article readable for non-IT personnel as well, so I will keep the technical details for another article. Suffice it to say that in larger organizations the administration of user details is hopefully automated in some way. So let's assume we have the right information in the right place.

In an Office 365 environment the local Active Directory is synchronized to the cloud counterpart of this directory. So this scenario will also work for Exchange Online.

In my tenant I use another field to hold the correct information. The reason behind this is that the Department field (and some others) can sometimes be edited by the owner of the user account. If that happened it could mess up our intention to organize, because a recipient filter that depends on this field would not work anymore.

The implementation of this field is something I will write about another time but for now if you see examples of the recipient filters in this article and you see something like CustomAttribute think Department or Job Title.

Let's take an example and see this in action:
(by the way: Deelnemer means “student”)

This is the Addresslist for the School for MSTeams which will contain the students of this school.

RecipientFilter : ((((CustomAttribute1 -like 'Deelnemer') -and (CustomAttribute3 -like '*-MSTEAMS'))) -and (RecipientType -eq 'UserMailbox'))


If we take a look at the screenshot of the organization tab of a user we see that the Job Title field contains “KLAS04-MSTEAMS”. (The same information is in CustomAttribute3.) Our filter from the example selects all the students (Deelnemer in CustomAttribute1) whose CustomAttribute3 consists of anything (which is the *) followed by “-MSTEAMS”. This is the reason why this user is on this particular addresslist.

The same is the case for another addresslist which lists the staff for the same school. They have similar information in the fields and a Recipient filter that looks a lot like the previous example. (Docent means “teacher”). See below.

Team MS Teams ((((CustomAttribute1 -eq 'Medewerker') -and (CustomAttribute3 -like '*MS Teams'))) -and (RecipientType -eq 'UserMailbox'))
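Putting the pieces together for one school: the following added example (not the author's script) creates the two Addresslists with the filters shown above, wraps them in an ABP and binds that ABP to the students. The names 'Rooms MSTeams', 'GAL MSTeams', 'OAB MSTeams' and 'ABP MSTeams', the room filter and the GAL filter are assumptions made for the illustration.

```powershell
# Added example. Assumes an Exchange Online session (Connect-ExchangeOnline) and an
# admin role group that includes the "Address Lists" management role, which is not
# assigned to any role group by default.

# Filters as shown in the article's Get-AddressList output.
$students = "((((CustomAttribute1 -like 'Deelnemer') -and (CustomAttribute3 -like '*-MSTEAMS'))) -and (RecipientType -eq 'UserMailbox'))"
$team     = "((((CustomAttribute1 -eq 'Medewerker') -and (CustomAttribute3 -like '*MS Teams'))) -and (RecipientType -eq 'UserMailbox'))"

# Assumption: rooms of this school carry the same CustomAttribute3 suffix as its students.
$rooms    = "(RecipientDisplayType -eq 'ConferenceRoomMailbox') -and (CustomAttribute3 -like '*-MSTEAMS')"

# Assumption: the policy's GAL should cover everything that is in its address lists.
$gal      = "(CustomAttribute3 -like '*-MSTEAMS') -or (CustomAttribute3 -like '*MS Teams')"

New-AddressList -Name 'School voor MSTeams' -RecipientFilter $students
New-AddressList -Name 'Team MSTeams'        -RecipientFilter $team
New-AddressList -Name 'Rooms MSTeams'       -RecipientFilter $rooms      # hypothetical name
New-GlobalAddressList -Name 'GAL MSTeams'   -RecipientFilter $gal        # hypothetical name
New-OfflineAddressBook -Name 'OAB MSTeams'  -AddressLists 'GAL MSTeams'  # hypothetical name

# An ABP needs all four parts: address lists, room list, GAL and offline address book.
New-AddressBookPolicy -Name 'ABP MSTeams' `
    -AddressLists '\School voor MSTeams', '\Team MSTeams' `
    -RoomList '\Rooms MSTeams' `
    -GlobalAddressList '\GAL MSTeams' `
    -OfflineAddressBook '\OAB MSTeams'

# Preview who the student filter matches before changing any mailbox.
$matched = Get-Recipient -RecipientPreviewFilter $students -ResultSize Unlimited
$matched | Select-Object DisplayName, PrimarySmtpAddress, CustomAttribute3

# Bind the policy to exactly those students.
$matched | ForEach-Object {
    Set-Mailbox -Identity $_.PrimarySmtpAddress -AddressBookPolicy 'ABP MSTeams'
}
```

Exchange Online has no Update-AddressList cmdlet, so recipients that already existed only appear in a newly created Addresslist after their object is next modified.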

By the way: all personal information you see is from my testing tenant, which is only filled with user data generated by a fake user data generator. You can find these online. I used this one.
